51ce833e-a8ec-4
Participant

Routing processing order (VPN, PBR, Routing Table)

Jump to solution

Hi,

I would like to know the order of processing routes in a security gateway.

The main purpose is to apply PBR rules to traffic that is decrypted from a site-to-site VPN or that comes from VPN routing. Is this possible?

0 Kudos
Reply
7 Replies
_Val_
Admin

Can you elaborate on the use case?

0 Kudos
Reply
51ce833e-a8ec-4
Participant
I'm trying to implement a site-to-site VPN and avoid asymmetric routing.
Let's say we have two sites connected through a GW cluster at each site, both managed by the same Security Management.

The VPN FWs are connected (via a switch) to the Core FW (which acts as the default gateway in the network) at each site.

The VPN FWs are also directly connected to each segment in the network to reduce traffic on the Core FW.

Traffic between VPN domains in this case goes through asymmetric paths, which makes applications slow (or even not work).

I would like to force traffic between VPN domains to be routed to the Core FW regardless of the directly connected subnets in the system routing table.

I hope this was clear, because I know it's not a usual use case.
0 Kudos
Reply
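As an added illustration (not part of this thread, and not Check Point code), the following Python model shows the lookup order the question is about: a policy-based routing table is consulted before the system routing table, and the routing table itself uses longest-prefix match, which is why a directly connected /24 always wins over the default route through the Core FW and the decrypted traffic takes the direct, asymmetric path. The topology, addresses, interface names and rule are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    """One entry of the system routing table (RIB)."""
    prefix: IPv4Net
    next_hop: Optional[str]  # None = directly connected subnet
    interface: str


@dataclass(frozen=True)
class PbrRule:
    """One policy-based routing rule: match on source/destination, force a next hop."""
    src: IPv4Net
    dst: IPv4Net
    next_hop: str
    interface: str


def lookup_rib(rib: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match: the most specific matching route wins,
    so a directly connected /24 always beats a default route."""
    best = None
    for route in rib:
        if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def select_path(pbr: List[PbrRule], rib: List[Route], src: str, dst: str) -> Tuple[str, str, str]:
    """Generic precedence model: PBR rules are evaluated first (first match wins);
    only if none matches is the routing table consulted.
    Returns (decided_by, next_hop, interface)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in pbr:
        if s in rule.src and d in rule.dst:
            return ("pbr", rule.next_hop, rule.interface)
    route = lookup_rib(rib, d)
    if route is None:
        return ("none", "", "")
    return ("rib", route.next_hop or "directly-connected", route.interface)


# Constructed topology for one site's VPN FW (hypothetical addresses and interface names):
#   eth1 10.1.0.0/24  -> link to the Core FW at 10.1.0.1 (the site's default gateway)
#   eth2 10.1.10.0/24 -> a LAN segment the VPN FW is also directly connected to
#   remote VPN domain 10.2.0.0/16 behind the other site
RIB = [
    Route(IPv4Net("0.0.0.0/0"), "10.1.0.1", "eth1"),   # default via Core FW
    Route(IPv4Net("10.1.0.0/24"), None, "eth1"),       # directly connected link to Core FW
    Route(IPv4Net("10.1.10.0/24"), None, "eth2"),      # directly connected LAN segment
]

# Desired behaviour from the question: anything arriving from the remote VPN domain and
# destined to the local site is handed to the Core FW, even though a more specific
# connected route exists.
PBR = [
    PbrRule(IPv4Net("10.2.0.0/16"), IPv4Net("10.1.0.0/16"), "10.1.0.1", "eth1"),
]


def without_pbr() -> Tuple[str, str, str]:
    # Decrypted packet from the remote domain to a host on the connected segment:
    # longest-prefix match sends it straight out eth2, bypassing the Core FW.
    return select_path([], RIB, "10.2.20.7", "10.1.10.50")


def with_pbr() -> Tuple[str, str, str]:
    # Same packet with the PBR rule in place: the rule matches first and forces eth1.
    return select_path(PBR, RIB, "10.2.20.7", "10.1.10.50")


def internet_bound() -> Tuple[str, str, str]:
    # Local host to the Internet: no PBR match, so the default route via the Core FW is used.
    return select_path(PBR, RIB, "10.1.10.50", "198.51.100.9")


if __name__ == "__main__":
    print("no PBR   :", without_pbr())
    print("with PBR :", with_pbr())
    print("internet :", internet_bound())
```

The model only captures the generic precedence (PBR before the routing table, longest prefix within the table); it says nothing about whether a given product applies PBR to VPN traffic, which is exactly the restriction the accepted answer in this thread points out for Check Point gateways.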
_Val_
Admin

Okay, that makes sense. Unfortunately, you cannot do PBR and VPN on the same box. What is feasible is breaking VPN tunnel on another device and then send traffic to PBR box. You can actually achieve this with VSX. 


51ce833e-a8ec-4
Participant
Thank you very much!
0 Kudos
Reply
_Val_
Admin

Anyhow,

Here is a quote from https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


The following features/blades are not supported with PBR:

  • IPv6
  • URL Filtering
  • IPS
  • Locally-generated traffic
  • Security Servers
  • Data Loss Prevention (DLP) blade
  • VPN Domain Based
  • VPN Route Based
  • Anti-Spam blade
  • Mail Transfer Agent (MTA) (relevant for Threat Emulation/Threat Extraction/Data Loss Prevention/Anti-Spam blades)
  • ISP Redundancy
  • The following applications (which use Check Point Active Streaming [CPAS]):
    • VoIP (H323, SIP, Skinny, etc.)
    • HTTPS Inspection
    • HTTP Header Spoofing
    • HTTP Proxy
    • IMAP in IPS
r31N3r
Explorer

Hello Val,

Do the restrictions on PBR only affect the networks/IP ranges/interfaces touched by PBR, or do these restrictions impact the whole gateway?

0 Kudos
Reply
_Val_
Admin